00. Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of the NSA 
- An OSINT Analysis 
01. Introduction to WHOIS XML API


WhoisXML API is one of the Web's and the security industry's primary destinations for threat
intelligence and cybercrime research, including OSINT-type domain, IP and current and
historical WHOIS data, with billions of domain, IP and WHOIS records in its database.
Novice and experienced cybercrime researchers, threat intelligence analysts and OSINT
experts should consider adding WhoisXML API to their arsenal of OSINT tools and public
databases and treating it as a primary information source and threat intelligence gathering
tool in their current and ongoing OSINT, cybercrime and threat intelligence investigations.


02. How to get a proper account 


Cybercrime researchers and threat intelligence analysts interested in obtaining access to one of
the Web's and the industry's most comprehensive and in-depth data sets of real-time and
historical domain, IP and WHOIS information should grab an account from the following URL -
https://main.whoisxmlapi.com/signup - to begin their OSINT and cybercrime research,
including their threat hunting and threat intelligence gathering process.


Product                 Tier 1     Tier 2     Tier 3     Tier 4     Tier 5     Tier 6      Units

WHOIS and Bulk WHOIS    100,000    500,000  1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
Domain Availability     100,000    500,000  1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
IP Geolocation           50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries
IP Netblocks             50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries
DNS Lookup              100,000    200,000    500,000  1,000,000  2,000,000   4,000,000  Monthly queries
Email Verification       50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries
Domain Reputation        50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Categorization   50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Contacts         50,000    100,000    200,000    500,000  1,000,000   2,000,000  Monthly queries


Sample WhoisXML API Pricing Plans Web Site 
03. How to install Maltego 


For the purpose of this case study we'll use the popular OSINT gathering and enrichment tool
Maltego, which you can grab from the following URL - https://www.maltego.com/downloads/ - in
order to begin using WhoisXML API's advanced domain, IP and current and historical WHOIS
information, one of the Web's and the industry's most comprehensive and in-depth databases.


[Screenshot: Maltego for Windows download page - file type ".exe + Java (x64)"; Java 11 64 bit is recommended.]


Sample Maltego Download Web Site


04. How to use the WHOIS XML API Maltego Integration 
WhoisXML API transforms available in Maltego:

To Domains and IP Addresses (Historical Reverse WHOIS Search) [WhoisXML]
To Domains and IP Addresses (Reverse WHOIS Search) [WhoisXML]
To Historical WHOIS Records [WhoisXML]
To WHOIS Records [WhoisXML]
Before using Maltego, users should follow the instructions above and grab a proper WhoisXML API
account, which they can later on use for the actual OSINT research and analysis, including the
enrichment process itself.
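The pivot the transforms above perform (domain -> WHOIS record -> registrant e-mail -> every other domain with that registrant, and the same for shared hosting IPs) can be reproduced offline to see how a seed portfolio grows into a campaign map. The following Python is an added example, not code from this report, from WhoisXML API or from Maltego; the WHOIS records, domains and e-mail addresses in it are constructed placeholders, and refang() covers the defanged-dot variants as they appear in this report's indicator lists.

```python
import re

# Defanged-dot variants in this report's lists: "[.]", OCR-damaged "[.J"/"[.]J",
# "{[.]", "[. ]" and "|.|". The "J" is an extraction artefact of this report and
# would also swallow a genuine uppercase "J" that starts a label.
_DEFANG = re.compile(r"\s*[\[\{\|(]+\s*\.\s*[\]\}\|J)]+\s*")

def refang(indicator):
    """Restore a defanged domain or e-mail ('foo[.Jcom') to 'foo.com'."""
    return _DEFANG.sub(".", indicator.strip()).lower()

def defang(indicator):
    """Defang for publication: every dot becomes '[.]'."""
    return indicator.replace(".", "[.]")

# Constructed WHOIS records standing in for API lookups (hypothetical domains,
# registrant e-mails and hosting IPs from reserved example ranges).
WHOIS_RECORDS = {
    "vpn-one.example":   {"email": "reg-a@mail.example", "ip": "192.0.2.10"},
    "vpn-two.example":   {"email": "reg-a@mail.example", "ip": "192.0.2.11"},
    "tunnel.example":    {"email": "reg-b@mail.example", "ip": "192.0.2.10"},
    "unrelated.example": {"email": "reg-c@mail.example", "ip": "198.51.100.7"},
}

def whois_record(domain):
    """'To WHOIS Records': registrant e-mail and hosting IP for one domain."""
    return WHOIS_RECORDS.get(refang(domain))

def reverse_whois(email):
    """'To Domains and IP Addresses (Reverse WHOIS Search)': domains sharing a registrant e-mail."""
    email = refang(email)
    return sorted(d for d, r in WHOIS_RECORDS.items() if r["email"] == email)

def pivot(seed_domains, max_depth=3):
    """Expand a seed portfolio over shared registrant e-mails and hosting IPs, like chained transforms."""
    seen = {refang(d) for d in seed_domains}
    frontier = set(seen)
    for _ in range(max_depth):
        new = set()
        for domain in WHOIS_RECORDS.keys() & frontier:  # skip domains with no record
            rec = WHOIS_RECORDS[domain]
            new.update(reverse_whois(rec["email"]))
            new.update(d for d, r in WHOIS_RECORDS.items() if r["ip"] == rec["ip"])
        new -= seen
        if not new:
            break
        seen |= new
        frontier = new
    return sorted(defang(d) for d in seen)
```

Seeding pivot() with a single domain returns the defanged portfolio reachable through shared registrants and IPs, while a domain with no links returns only itself.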


05. The Case Study 


We recently came across a currently active portfolio of free VPN domains which, based on our
research and publicly accessible sources, appears to be run and operated by the NSA. The
ultimate goal appears to be to trick users, in particular Iran-based users, into using these
rogue and bogus free VPN service providers in order to monitor and eavesdrop on their Internet
activities. We decided to take a deeper look inside the Internet-connected infrastructure of
these domains and to offer practical and relevant threat intelligence and cyber attack
attribution details on the true origins of the campaign.


In this case study we'll offer practical and relevant technical information on the
Internet-connected infrastructure of this campaign in order to assist the security community in
tracking down and monitoring it, including actual cyber attack and cyber campaign attribution
clues which could come in handy to a security researcher or a threat intelligence analyst.


Original rogue portfolio of fake VPN service domains courtesy of the NSA: 




Related domain registrant email addresses known to have been involved in the 
campaign: 


Related domains known to have been involved in the campaign: 





We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


